Help connecting to Cisco ASA with Openswan?
Hi,
I've been tasked with setting up a VPN connection from CentOS 6.1 (2.6.32-131.21.1.el6.x86_64) & Openswan (Openswan: Linux Openswan U2.6.32/K2.6.32-131.21.1.el6.x86_64 (netkey)) to a Cisco ASA. Unfortunately I don't have any experience with VPNs or Openswan, but after a lot of Googling I have come up with an ipsec.conf file based upon the requirements of the Cisco ASA (below). I still can't get the tunnel to come up after many hours of trying. If anyone can point me in the right direction from the information below it would be very much appreciated; if any further information is required please let me know what you need & I will supply it.

TIA, Jason

Cisco ASA policy requirements:

IKE Policy
    Message Encryption algorithm: AES256
    Data Integrity: SHA
    DH-Group: Group 2 (1024 bit)
    Peer Authentication Method: Pre shared key
    IKE Lifetime: 8 hours (28,800 seconds)

IPSec parameters
    Mechanism for payload encryption: ESP
    ESP Transform: AES256
    Data Integrity: SHA
    Security Association (SA) Lifetime: 1 hour (3,600 seconds)
    Perfect Forward Secrecy (PFS): Enabled (Group 2 Keys)

Also, to avoid conflict with the ASA side private LAN, they will only accept IP traffic across a VPN where the source host is presented as a public address. This has been done & the Linux box IP address is a private IP connected directly.

ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    #nat_traversal=yes
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    #interfaces="ipsec0=eth0"

conn connect
    type=tunnel
    authby=secret
    left=<Linux public IP>/32
    leftnexthop=%defaultroute
    right=<ASA public IP>/32
    rightnexthop=%defaultroute
    Keyexchange=ike
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1

The secrets file is:

<ASA IP address> <Linux IP address> : PSK "<PSK as received>"

Also I have added firewall rules:

iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT

Here is an excerpt from the Openswan log file after attempting to bring the tunnel up:

Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo ::1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo 127.0.0.1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> ipsec__plutorun: Starting Pluto subsystem...
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: nss directory plutomain: /etc/ipsec.d
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS Initialized
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4627
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: LEAK_DETECTIVE support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: OCF support for IKE [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAref support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAbind support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS support [enabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: HAVE_STATSD notification support not compiled in
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Setting NAT-Traversal port-4500 floating to off
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: port floating activation criteria nat_t=0/port_float=1
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NAT-Traversal support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: starting up 3 cryptographic helpers
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072313808640 (fd:10)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072303318784 (fd:12)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072292828928 (fd:14)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Using Linux 2.6 IPsec interface code on 2.6.32-131.21.1.el6.x86_64 (experimental code)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/cacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/crls'
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: | selinux support is enabled.
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: listening for IKE messages
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo 127.0.0.1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo ::1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: loading secrets from "/etc/ipsec.secrets"
Hi again,
It's great that so many of you have taken the time to look at my problem, so thanks for that. I've spent a few hours tonight trying to get the tunnel up & have made a bit more progress. I have changed the config file (as below) & although the tunnel still doesn't come up, after looking at the log file it looks like phase 1 has worked. I've included the log file (as below), so if anyone can help move me to the next step please let me know; any help is really appreciated.

TIA, Jase

------------------------------------------

ipsec.conf

# basic configuration
config setup
    protostack=netkey
    nat_traversal=no

conn snt
    pfs=yes
    auto=start
    keyingtries=1
    #ikeparams
    Keyexchange=ike
    ikelifetime=480m
    type=tunnel
    auth=esp
    authby=secret
    keylife=60m
    #Left security gateway, subnet behind it, next hop
    left=<Linux IP>
    right=<Cisco IP>
    rightnexthop=<Linux IP>
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1

------------------------------------------

Log file:

Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface eth0/eth0 <Linux IP>:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo 127.0.0.1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo ::1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: loading secrets from "/etc/ipsec.secrets"
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: initiating Main Mode
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Cisco-Unity]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [XAUTH]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring unknown Vendor ID payload [fe6889c39ec2923641caefcf37bd3c7f]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Dead Peer Detection]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: Main mode peer ID is ID_IPV4_ADDR: '<Cisco IP>'
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received and ignored informational message
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Delete SA payload: deleting ISAKMP State #1
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: packet from <Cisco IP>:500: received and ignored informational message
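Reading a pluto log like the one above by hand gets tedious, so here is an added Python triage script (not code from this thread or from Openswan). It parses pluto's line format, records per connection whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, and maps the IKEv1 notifies the peer sent back to the first thing to check on the Openswan side. The sample log is constructed from the excerpt above (hostname replaced, shortened); the notify-to-diagnosis mapping is the author's own reading of what those notifies mean, not Openswan output.

```python
import re
from collections import defaultdict

# One Openswan 2.6 pluto line, e.g.
#   Dec 12 23:47:31 host pluto[20985]: "snt" #1: initiating Main Mode
# The quoted connection name and "#N" state number are absent on daemon-level lines.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+pluto\[\d+\]:\s+'
    r'(?:"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+)?(?P<msg>.*)$'
)

# IKEv1 informational notifies pluto logs as "informational payload, type X",
# mapped to the first thing to check on the Openswan side (author's mapping).
DIAGNOSIS = {
    "INVALID_ID_INFORMATION": "peer rejected the Quick Mode identities: leftsubnet=/rightsubnet= "
                              "must describe exactly the networks the peer's crypto ACL expects",
    "NO_PROPOSAL_CHOSEN": "peer accepted none of the offered transforms: compare ike=, "
                          "phase2alg= and pfs= with the peer's published policy",
}

def parse_pluto_log(text):
    """Return one dict (ts, conn, sa, msg) per line that looks like a pluto line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def kv_block(msg):
    """Parse the trailing '{k=v k=v ...}' block pluto appends to SA messages."""
    m = re.search(r'\{([^}]*)\}', msg)
    if not m:
        return {}
    return dict(tok.split('=', 1) for tok in m.group(1).split() if '=' in tok)

def triage(text):
    """Summarise, per connection, how far IKE got and what the peer objected to."""
    report = defaultdict(lambda: {"phase1": None, "proposal": None, "phase2": None,
                                  "notifies": [], "retransmissions": 0, "diagnosis": []})
    for ev in parse_pluto_log(text):
        if ev["conn"] is None:          # daemon start-up chatter, not tied to a conn
            continue
        r, msg = report[ev["conn"]], ev["msg"]
        if "ISAKMP SA established" in msg:              # phase 1 done
            r["phase1"] = kv_block(msg)
        elif msg.startswith("initiating Quick Mode"):   # phase 2 offered
            r["proposal"] = kv_block(msg)
        elif "IPsec SA established" in msg:             # phase 2 done
            r["phase2"] = kv_block(msg)
        elif "retransmission" in msg:
            r["retransmissions"] += 1
        n = re.search(r'informational payload, type (\w+)', msg)
        if n:
            r["notifies"].append(n.group(1))
    for r in report.values():
        for n in r["notifies"]:
            if n in DIAGNOSIS and DIAGNOSIS[n] not in r["diagnosis"]:
                r["diagnosis"].append(DIAGNOSIS[n])
        if r["phase1"] is None and r["retransmissions"]:
            r["diagnosis"].append("no Main Mode reply: check reachability and UDP/500 "
                                  "(UDP/4500 when NAT-T is on) filtering on both ends")
    return dict(report)

# Constructed sample: the thread's second excerpt, shortened, hostname replaced.
SAMPLE_LOG = """\
Dec 12 23:47:31 host pluto[20985]: loading secrets from "/etc/ipsec.secrets"
Dec 12 23:47:31 host pluto[20985]: "snt" #1: initiating Main Mode
Dec 12 23:47:31 host pluto[20985]: "snt" #1: received Vendor ID payload [Cisco-Unity]
Dec 12 23:47:31 host pluto[20985]: "snt" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 12 23:47:31 host pluto[20985]: "snt" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 12 23:47:31 host pluto[20985]: "snt" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 12 23:47:31 host pluto[20985]: "snt" #1: received Delete SA payload: deleting ISAKMP State #1
"""

if __name__ == "__main__":
    for conn, r in triage(SAMPLE_LOG).items():
        print(conn, "phase1:", r["phase1"], "phase2:", r["phase2"])
        for d in r["diagnosis"]:
            print("  ->", d)
```

Run against the excerpt above it reports phase 1 complete with aes_256/sha/modp1024, a Quick Mode proposal sent, no IPsec SA, and an INVALID_ID_INFORMATION notify, which points at the phase 2 identities rather than at the ciphers or the PSK.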
Setting up IPSEC VPN tunnel between ASA and Linux
Jazsnap,
On the ASA side, in general I disable PFS; it causes problems even with devices that otherwise play well with ASA, like SonicWall. Setting up a tunnel from an ASA to Openswan has always been more difficult for me than having a SonicWall or a PIX or ASA as a peer. Try turning off Perfect Forward Secrecy.
Thanks for the advice agentbuzz. Unfortunately I don't have any control over the Cisco end, but they have confirmed that PFS is definitely being used. I'm thinking that the line below may hold some clues but I'm not too sure how to interpret it; everything seems to be in order, but I'm not sure about +UP or +IKEv2ALLOW? Also, could the order of the commands in the config file have any bearing?

initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

Regards, Jason
Try changing the IKE and SA lifetimes to the same values? I can't remember a lot from the CCNA and CCNP courses I had, but I still recall something about key lifetimes having to be the same. Not sure if that helps because IKE and SA ain't the same, but worth a shot?
[Solved]
Thanks for all the help & I now have this tunnel working. The problem was that I was missing the right subnet from the ipsec.conf file; as soon as that was added the tunnel came up at the first attempt. Apparently, as the Cisco side didn't see the subnet it couldn't match our incoming connection & finish off phase 2 authentication. Here is the working ipsec.conf file for anyone who is interested:

config setup
    interfaces=%defaultroute
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    #plutodebug=all
    protostack=netkey
    nat_traversal=no
    # Enable this if you see "failed to find any available worker"

conn test
    type=tunnel
    #Left security gateway, subnet behind it, next hop
    left=<Linux IP>
    leftsubnet=<Linux subnet>/24
    right=<Cisco IP>
    rightsubnet=<Cisco subnet>/24
    keyingtries=1
    pfs=yes
    #ikeparams
    keyexchange=ike
    ikelifetime=480m
    #ipsecparams
    phase2=esp
    authby=secret
    keylife=60m
    auto=start
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1
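The fix was a config omission that no log line names directly, so as an added example (not code from this thread or from Openswan) here is a Python checker that parses an ipsec.conf like the ones posted in this thread and compares each conn against the ASA policy quoted in the first post: IKE and ESP transforms, pre-shared-key auth, PFS, the 28,800 s / 3,600 s lifetimes, and the presence of both leftsubnet= and rightsubnet=. The two sample configs are constructed after the failing and working ones above; the 203.0.113.10 / 198.51.100.1 addresses and the 10.x subnets are documentation values, not the poster's.

```python
import re

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'config setup': {...}, 'conn NAME': {...}}.
    Keys are lowercased so 'Keyexchange=' (as posted above) and 'keyexchange=' compare
    equal; anything after '#' is dropped as a comment, a simplification that is fine here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(config\s+setup|conn\s+\S+)$', line)
        if m:
            current = re.sub(r'\s+', ' ', m.group(1))
            sections[current] = {}
        elif current is not None and '=' in line:   # "version 2.0" has no '=' and is skipped
            key, value = line.split('=', 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

_UNIT = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}

def lifetime_seconds(value):
    """ikelifetime=/keylife= take a number with an optional s/m/h/d suffix; bare = seconds."""
    m = re.fullmatch(r'(\d+)([smhd]?)', value.strip())
    if not m:
        raise ValueError(f"unrecognised lifetime {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or 's']

# The ASA policy from the first post, expressed in Openswan terms.
ASA_POLICY = {
    'ike': 'aes256-sha1-modp1024',   # IKE: AES256, SHA, DH group 2
    'phase2alg': 'aes256-sha1',      # ESP: AES256, SHA
    'authby': 'secret',              # pre-shared key
    'pfs': 'yes',                    # PFS enabled
    'ikelifetime_s': 8 * 3600,       # 28,800 s
    'keylife_s': 3600,               # 3,600 s
}

def check_conn(conn, policy=ASA_POLICY):
    """Return a list of mismatches between one conn section and the peer's policy."""
    problems = []
    for key in ('ike', 'phase2alg', 'authby'):
        if conn.get(key) != policy[key]:
            problems.append(f"{key}={conn.get(key)!r}, peer requires {policy[key]!r}")
    if conn.get('pfs', 'yes') != policy['pfs']:   # Openswan's default is pfs=yes
        problems.append(f"pfs={conn['pfs']!r}, peer requires {policy['pfs']!r}")
    for key, want in (('ikelifetime', policy['ikelifetime_s']), ('keylife', policy['keylife_s'])):
        if key not in conn:
            problems.append(f"{key} not set, so Openswan's default applies; peer expects {want}s")
        elif lifetime_seconds(conn[key]) != want:
            problems.append(f"{key}={conn[key]} is {lifetime_seconds(conn[key])}s, peer expects {want}s")
    # The fix in this thread: without both subnets Quick Mode offers host-only identities,
    # which the ASA could not match against its side and phase 2 never completed.
    for key in ('leftsubnet', 'rightsubnet'):
        if key not in conn:
            problems.append(f"{key} missing: peer cannot match the phase 2 identities")
    return problems

def audit(text, policy=ASA_POLICY):
    """Check every conn in an ipsec.conf; an empty list means the conn matches the policy."""
    return {name: check_conn(sec, policy)
            for name, sec in parse_ipsec_conf(text).items() if name.startswith('conn ')}

# Constructed samples modelled on the failing and working configs in this thread.
FAILING_CONF = """\
config setup
    protostack=netkey
    nat_traversal=no

conn snt
    pfs=yes
    auto=start
    keyingtries=1
    Keyexchange=ike
    ikelifetime=480m
    type=tunnel
    authby=secret
    keylife=60m
    left=203.0.113.10
    right=198.51.100.1
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1
"""

WORKING_CONF = FAILING_CONF.replace("conn snt", "conn test") + """\
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.2.0/24
"""

if __name__ == "__main__":
    for label, conf in (("failing", FAILING_CONF), ("working", WORKING_CONF)):
        for conn, problems in audit(conf).items():
            print(f"[{label}] {conn}: {'OK' if not problems else ''}")
            for p in problems:
                print("   ", p)
```

The failing config passes every transform and lifetime check and is flagged only for the two missing subnet lines, which matches the thread's outcome; the working config comes back clean. The lifetime check is there because the ASA expresses its lifetimes in seconds while the posted config uses 480m and 60m, so the comparison has to normalise both.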